Spyware Tunnels in on Winamp Flaw

← Back to Stories (view on slashdot.org)

Spyware Tunnels in on Winamp Flaw

Posted by Hemos on Monday February 6, 2006 @01:37AM from the hey-now-get-your-upgrade-on dept.

Andy Philips writes "A security bug in Winamp is being exploited by miscreants to install spyware on machines running the media player software. "After surfing to a malicious Web site on our test machines, the file 'x.pls' begins to download, Almost immediately, Winamp starts to execute the play list and remote code execution begins." Sunbelt's Adam Thomas wrote in a posting. The Winamp problem affects version 5.12 of the media player. Earlier versions may also be affected."

34 of 176 comments (clear)

It's that Damn Llama's Fault by eldavojohn · 2006-02-06 01:40 · Score: 4, Interesting

Once upon a time, I used Winamp.

And it was good.

It was fairly lightweight, I could load in huge playlists of college-napster-garbage without slowdown and I knew all the hot keys for searching and what not.

Then that llama came into the picture. I think it must have been version three or four (I can't remember) when there was a damned llama or alpaca or whatever in a green field. Now, I love llamas and alpacas, don't get me wrong. The problem was that now Winamp was about "graphix" and "features" that were once plugins that I didn't want.

I don't know why they thought Winamp needed to be able to play videos but it did now. I don't know why they thought Winamp had to show stupid tripping-on-acid-harmonograph visualizations but it did now. I don't know why they thought Winamp had to melt songs together but it did now ... etc.

On top of that, the memory footprint in Windows was crazy. And my roommate tried to put skins on Winamp that just made my computer shit its gourd. I was disgusted ... the hot keys may have still been there but what I was looking for in a media player was not. For some reason, they seemed to think that competing with Windows Media Player meant mimicking it to every detail. Fine. I never want to touch Windows Media Player, it's about as useful as my appendix. And now I feel the same way about Winamp.

Now there's a spyware flaw in Winamp. Am I surprised? Not really. They have gotten so complicated that there's probably a thousand holes in that application. They definitely lost site of what I was looking for--a plain jane slim audio player. Winamp's executing a remote method invocation through a playlist that can trigger itself to be automatically loaded and ran? Now that sounds like a "feature" I want my audio player to have.

Is this the first time this has happened? Nope, remember the zero day exploit that targeted skins in 2004? There's been a myriad of security issues with Winamp since it became more and more complicated.

"Gee, the way our audio player loads playlists isn't very secure. But it works and the people who use our application aren't interested in security--they're interested in playing AVI files on their audio player!"

So what would I recommend? Well, if you're using Linux, I can think of at least ten things better but XMMS would probably be my favorite. If you're running Windows, I like to use Quintessential Player which can be modified to be as complicated as new Winamp or can be

--
My work here is dung.
1. Re:It's that Damn Llama's Fault by Robotech_Master · 2006-02-06 01:46 · Score: 3, Interesting
  
  Can't you get xmms compiled for Windows, too?
  
  Personally, I use iTunes now, because it just works with my iPod. I could probably use something else, but why bother?
  
  --
  Editor Emeritus and Senior Writer, TeleRead.org
2. Re:It's that Damn Llama's Fault by iezhy · 2006-02-06 01:46 · Score: 4, Insightful
  
  I used winamp too - until i found foobar2000
  
  It supports virtually all posible audio codecs, and sound quality is much better
3. Re:It's that Damn Llama's Fault by Anonymous Coward · 2006-02-06 01:48 · Score: 2, Funny
  
  Once upon a time, I used Winamp.
  
  Until there was a story on slashdot about spyware being installed via Winamp flaw. Someone posted to slashdot about the experiences they had with winamp, and suggested something called Quintessential Player. I love this person, because thanks to them, I just found a great replacement for winamp.
4. Re:It's that Damn Llama's Fault by metarox · 2006-02-06 01:54 · Score: 2, Informative
  
  Just for the record, Quinnware stopped the dev on the simple QCD player and started a bloated winamp 5 copy called Quintessential Media Player. Guess I'll be staying with the good old QCD 4.51 player for a long time.
5. Re:It's that Damn Llama's Fault by Anonymous Coward · 2006-02-06 01:56 · Score: 2, Informative
  
  While there isn't a Linux port of foobar 2000 yet, I've found Quod Libet to be a close-enough replacement for those of us who have gotten tired of whiz-bang graphics. Though mostly, I switched from xmms for the UTF-8 support (hey, that's the reason I switched from winamp too ;)
6. Re:It's that Damn Llama's Fault by zerocool^ · 2006-02-06 01:57 · Score: 4, Insightful
  
  For starters, you can go to www.oldversion.com and get winamp 2.95 along with a bunch of other versions. The train wreck that was winamp3 was also mostly corrected when they went to winamp5, and if you see from (http://www.winamp.com/player/free.php) there's a "lite" version that weighs in at 0.85MB, and which supports mp3, wav, ogg, au, midi, cda, aac, etc. Since it doesn't support modern skins, I would suspect that it's probably just a rehash of 2.9x
  
  I don't use the video features of Winamp. They were present in 2.95, but they weren't bloated yet. And I don't think it was a grab at the windows media player headspace. It really seemed like they just tacked it on because it wasn't hard to do. I think it uses the windows renderer and codecs anyway, just without all the crap in WMP.
  
  Anyway, yeah, I still use 2.95 of winamp, just like I still use instant messanger 4.8. I'm open to change; I'm just not going to "upgrade" to a bloated product. What is it with software these days, anyway? Every piece of software tries to be everything to everyone. Ugh.
  
  ~Will
  
  --
  sig?
7. Re:It's that Damn Llama's Fault by Anonymous Coward · 2006-02-06 02:22 · Score: 5, Informative
  
  I used winamp too - until i found foobar2000 [foobar2000.org]
  It supports virtually all posible audio codecs, and sound quality is much better
  From foobar2000.org:
  Does foobar2000 sound better than other players?
  No. Most of "sound quality differences" people "hear" are placebo effect (at least with real music), as actual differences in produced sound data are below their noise floor (1 or 2 last bits in 16bit samples). Foobar2000 has sound processing features such as software resampling or 24bit output on new high-end soundcards, but most of other mainstream players are capable of doing the same by now.
  :-)
8. Re:It's that Damn Llama's Fault by CastrTroy · 2006-02-06 02:52 · Score: 2, Insightful
  
  Did they code all their own codecs? Or do they use the standard codecs? Either way, I don't know how which application you use has any bearing on the sound quality. You can't make a badly encoded MP3 sound good.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
9. Re:It's that Damn Llama's Fault by mrdaveb · 2006-02-06 02:59 · Score: 4, Informative
  
  I agree that Winamp 2 used to be great and Winamp 3 was horribly bloated. But what you really want to do is run the latest Winamp 5 with either the tiny Lite version, or the full version without modern skins. It has the same small memory footprint as Winamp 2... The only advantage of using Winamp 5 is that some of the recently discovered security holes have probably actually been in there the whole time and you might be putting yourself at risk if you run a really old version.
  
  --
  Homme petit d'homme petit, s'attend, n'avale
10. Re:It's that Damn Llama's Fault by Sterling+Christensen · 2006-02-06 03:03 · Score: 2, Informative
  
  So what would I recommend? Well, if you're using Linux, I can think of at least ten things better
  
  That page is old: "Last Updated 8 Apr 2000" and some of the links are broken.
  
  Wikipedia has a nice media player comparison with an "Operating system support" table showing which ones run on Linux.
11. Re:It's that Damn Llama's Fault by gregbains · 2006-02-06 03:10 · Score: 2, Informative
  
  For all those interested here is the link: Quintessential Player
Oh by kvant · 2006-02-06 01:43 · Score: 5, Funny

I was wondering why my mp3-collection was suddenly trying to sell me penis-lengthening pills!
1. Re:Oh by Belseth · 2006-02-06 01:59 · Score: 2, Funny
  
  I was wondering why my mp3-collection was suddenly trying to sell me penis-lengthening pills!
  Wait'll the next version comes out. They'll be collecting credit card numbers and automatically billing your account so you won't even have to order the enlarging pills they'll simply show up in your mailbox along with the bank notice that your account is empty.
So now it... by Robotech_Master · 2006-02-06 01:43 · Score: 5, Funny

...whips your computer's ass, as well as the llama's.

--
Editor Emeritus and Senior Writer, TeleRead.org
1. Re:So now it... by Rosyna · 2006-02-06 03:04 · Score: 2, Insightful
  
  Well, it's not just Winamp. Seems no one can get this format correct. Even iTunes had a problem http://lists.apple.com/archives/security-announce/ 2005/Jan/msg00000.html although whether it was actually exploitable or not is something else.
Download link to latest version. by Futurepower(R) · 2006-02-06 01:46 · Score: 3, Informative

Link to WinAmp Free Player.
1. Re:Download link to latest version. by Dwedit · 2006-02-06 05:19 · Score: 2, Informative
  
  Here's some information guaranteed to piss off the Winamp employees:
  Change the download URL from this:
  http://download.nullsoft.com/winamp/client/winamp5 13_full_emusic-7plus.exe
  to this:
  http://download.nullsoft.com/winamp/client/winamp5 13_full.exe
  
  Then there's no more Emusic bundle. This url is not listed anywhere on the site.
Re:Why don't they make a law... by LiquidCoooled · 2006-02-06 01:49 · Score: 3, Insightful

Because there is nothing wrong with fucking up your own computer.
There is nothing wrong with telling people how to fuck up their computers as well.

There is however something wrong if you use these tools to automatically fuck up other peoples computers.

--
liqbase :: faster than paper
Vulnerability is optional by quentin_quayle · 2006-02-06 01:50 · Score: 5, Informative

I know you will all correct me if I'm wrong, but if you don't have the .pls as a trigger for Winamp as a plugin, you're not vulnerable. Just set your browser to do something else with .pls (like offer to download). Or trash the file type association or set it for something other than Winamp.

Or if you're a luddite like me and can't stand plugins, prevent them all from working by commenting out the plugins lines in:
C:\Program Files\Common Files\mozilla.org\GRE\ [version here] \greprefs\all.js

This is assuming you use Mz or FF for web on Windows like a sensible person.
1. Re:Vulnerability is optional by Jugalator · 2006-02-06 02:32 · Score: 2, Informative
  
  I know you will all correct me if I'm wrong, but if you don't have the .pls as a trigger for Winamp as a plugin, you're not vulnerable. Just set your browser to do something else with .pls (like offer to download). Or trash the file type association or set it for something other than Winamp.
  
  Or upgrade your Winamp to 5.13.
  
  --
  Beware: In C++, your friends can see your privates!
2. Re:Vulnerability is optional by yoyhed · 2006-02-06 05:34 · Score: 3, Insightful
  
  Know what else is funny? I don't remember this discussion being an OS debate. We've all heard your argument before, we all know Linux is less susceptible to spyware, and we know Microsoft was determined to be a monopoly by the courts.
  The grandparent poster's suggestion was assuming the user had Windows because the discussion is about fucking WINAMP, a WINDOWS program. I'd say anyone using Windows who was sensible would indeed use Firefox (or Opera), as the GP said.
  You don't need to jump on every comment that mentions Windows and promote Linux in such a zealous/inflammatory fashion, especially when the comment about Windows was helpful and was promoting OSS like Firefox.
  
  --
  WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
Move Along by Billosaur · 2006-02-06 01:51 · Score: 5, Informative

As usual, nothing to see here...

From ZDNet Asia: The flaw was disclosed on Monday, when Winamp maker Nullsoft, a division of America Online, released an update to fix it. The company posted version 5.13 of Winamp, while Secunia and other security companies issued alerts about the problem. Secunia rated the issue "extremely critical," its highest rating.

Flaw detected and removed. New version of Winamp out. Get the new version. Protected. Not much more difficult than that. Shouldn't there a be a "Software Vulnerabilties" section to Slashdot, where these things could be posted?

--
GetOuttaMySpace - The Anti-Social Network
1. Re:Move Along by RonnyJ · 2006-02-06 02:20 · Score: 4, Informative
  
  Shouldn't there a be a "Software Vulnerabilties" section to Slashdot, where these things could be posted?
  That's certainly an option, however Winamp is a hugely popular media player. I'm sure many Slashdot readers have Winamp, and wouldn't visit such a section regularly, so fairly 'big' stories like this should at least be posted to the front page too. At the very least, I know now that I need to update Winamp.
Re:Why don't they make a law... by CyricZ · 2006-02-06 01:54 · Score: 2, Informative

A legal solution to a technical problem will never work. The involvement of politicians likely won't lead to secure consumer-grade software.

The best thing to do is to use technologies that encourage secure programming. We're talking about garbage collected languages, for instance, that reduce the risks of buffer overflows. And beyond that, start using BSD or Linux rather than Windows. Of course the list goes on and on.

--
Cyric Zndovzny at your service.
Foobar2000 by Idimmu+Xul · 2006-02-06 01:55 · Score: 4, Informative

A small plug for the greatest MP3 player in existance, Foobar2000

It's so awesomely customisable, it hurts.

--
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
There are other applications to use by hcoder · 2006-02-06 02:16 · Score: 4, Informative

It should be noted that no application is secure enough (except some 'Hello World!' implementations). It's not unusual that one should get hotfixes, service packs, etc. to keep ones system (relatively) secure against crackers. If you like winamp get the update and relax. As other folks said you may use other applications, mplayer is my favourite one. Of course I run it on Linux.
last exploit I remember of winamp by British · 2006-02-06 02:22 · Score: 2, Informative

Was when that disaster known as Winamp TV came out. Porn site operators found out rather quickly you could incorporate pop-up ads when you connect to their streams. A simple preference change stopped this.
Problem? by towaz · 2006-02-06 02:53 · Score: 3, Informative

This was patched over a week ago, http://www.incidents.org/diary.php?date=2006-01-31 (bottom).
The time from exploit to patch was very fast.
better then the length it takes other software developers to release a patch..
http://www.eeye.com/html/research/upcoming/index.h tml

--
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
Winamp 5 == Winamp 2 by Anonymous Coward · 2006-02-06 02:58 · Score: 4, Interesting

Winamp 5 is essentially just an updated version of Winamp 2 renamed so that it would have a higher number than the trainwreck that was Winamp 3. There's no reason not to upgrade - all the "bloat" (modern skins, video support, media library, whatever) is an install-time option. Even with all the "bloat", I find that so long as I use a classic skin, its reasonably lightweight. (Modern skins, of course, eat up more CPU/memory).

If you're still using 2.95, you're probably vulnerable to a host of security issues and missing out on a number of useful features (better AAC/mp4 support for one, I believe). I highly reccomend upgrading to 5.13.
Still lite by Bizzeh · 2006-02-06 02:59 · Score: 3, Informative

winamp is still lite, you dont HAVE to install the extra features.
you dont HAVE to install the library,
you dont HAVE to install the modern skin support,

remove those 2 and your practicaly using winamp 2.9 with alot of bug fixes and speedups... so i dont see what all the complaining and whining is about

--
portfolio
Version 5.13 Already Out by Ranger · 2006-02-06 03:04 · Score: 3, Informative

That information would have been useful had WinAmp not told me that version 5.13 was already available. A WEEK AGO!

I don't know what's worse on Slashdot, a dupe, a roland, or old news.

--
"You'll get nothing, and you'll like it!"
(ot) Re:Now I know.. by tehshen · 2006-02-06 05:38 · Score: 2, Informative

I just installed the Normal version. Not the prettiest app I've ever seen.

1) It fits in with your current theme, so if you're using the toy Windows XP theme, it's going to look like that.

2) Nobody thinks that's a good answer, so if you want a better-looking foobar you'll need Columns UI (which you get if you downloaded Full) and see the faqs for it. You can get formatting strings here. (Azrael is sexy.)

--
Guy asked me for a quarter for a cup of coffee. So I bit him.
Just one question by SuperKendall · 2006-02-06 05:51 · Score: 4, Insightful

Are there more computers running OS X than there are active copies of WinAMP?

If so, why are there currently no OS X viruses yet when we see an active WinAMP exploit?

Food for thought.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley